Second day of rolling blackouts starts
Hank Nussbacher
hank at att.net.il
Sun Jan 21 13:16:37 UTC 2001
At 09:43 19/01/01 -0500, Marshall Eubanks wrote:
>Two people have asked me off list about the RAMEN worm, which affects
>Linux Redhat distros. Here is a brief description of the worm, and a link
>to more, from Lucy Lynch at Internet2 / UOregon.
>
>The multicast implications :
>
>This worm scans a portion of the multicast address space. These scans
>(packets) are viewed as new multicast sources by a PIM multicast enabled
>router, which encapsulates them and sends them to its RP. The RP creates
>MSDP Session Announcements FOR EACH SCAN and floods them to every RP
>neighbor it has in "nearby" AS's, and those repeat the process. The result
>is an MSDP packet storm. We have gotten 15,000 SA's a minute. Dealing with
>these can melt down routers. (We had to reboot a Cisco 7204, for example,
>which apparently either filled up or fragmented its memory beyond
>usability.)
>
>I think it is fair to say that the question of rate limiting and other
>DOS filtering in PIM/SSM/MSDP multicast is getting serious attention now.
I have installed on my multicast tunnels (one to StarTap and the other to
Dante/Quantum):

! Applied under each tunnel interface: CAR at 128000 bps with a 30000-byte
! normal burst and a 30000-byte extended burst, on traffic matching ACL 180
rate-limit input access-group 180 128000 30000 30000 conform-action transmit exceed-action drop
!
! Match MSDP (IANA port 639) over TCP and UDP; traffic denied by the ACL does
! not match this rate-limit statement and is therefore not dropped by it
access-list 180 permit tcp any any eq 639
access-list 180 permit udp any any eq 639
access-list 180 deny ip any any
IANA has MSDP listed as port 639 - tcp+udp. It appears MSDP is only really
TCP:
mcast#sho access-l 180
Extended IP access list 180
    permit tcp any any eq 639 (1555 matches)
    permit udp any any eq 639
    deny ip any any (37888 matches)

and

mcast#sho in rate
Tunnel1 Mbone tunnel to Dante
  Input
    matches: access-group 180
      params:  128000 bps, 30000 limit, 30000 extended limit
      conformed 755 packets, 60044 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 388ms ago, current burst: 0 bytes
      last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
Tunnel2 Mbone tunnel to Startap
  Input
    matches: access-group 180
      params:  128000 bps, 30000 limit, 30000 extended limit
      conformed 909 packets, 148937 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1048ms ago, current burst: 0 bytes
      last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps
I'll only know tomorrow if I stop getting the constant:

Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0

error messages. I don't know whether 128kb/sec of MSDP is too much or too
little.
-Hank
>Marshall Eubanks
>
>
>"Lucy E. Lynch" wrote:
> >
> > a bit more info on ramen here:
> >
> > http://members.home.net/dtmartin24/ramen_worm.txt
> >
> > "And now, the contents of that ramen.tgz file: All the binaries are in the
> > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> > were not stripped, which makes the job of taking them apart easier."
> >
> > asp: An xinetd config. file that will start up the fake webserver
> > Used on RedHat 7.0 victim machines.
> > asp62: HTTP/0.9-compatible server that always serves out the file
> > /tmp/ramen.tgz to any request - NOT stripped
> > asp7: RedHat 7-compiled version - NOT stripped
> > bd62.sh: Does the setup (installing wormserver, removing vulnerable
> > programs, adding ftp users) for RedHat 6.2
> > bd7.sh: Same for RedHat 7.0
> > getip.sh: Utility script to get the main external IP address
> > hackl.sh: Driver to read the .l file and pass addresses to lh.sh
> > hackw.sh: Driver to read the .w file and pass addresses to wh.sh
> > index.html: HTML document text
> > l62: LPRng format string exploit program - NOT stripped
> > l7: Same but compiled for RedHat 7 - stripped
> > lh.sh: Driver script to execute the LPRng exploit with several
> > different options
> > randb62: Picks a random class-B subnet to scan on - NOT stripped
> > randb7: Same but compiled for RedHat 7 - NOT stripped
> > s62: statdx exploit - NOT stripped
> > s7: Same but compiled for RedHat 7 - stripped
> > scan.sh: get a classB network from randb and run synscan
> > start.sh: Replace any index.html with the one from the worm; run getip;
> > determine if we're RedHat 6.2 or 7.0 and run the appropriate
> > bd*.sh and start*.sh
> > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
> > start7.sh: Same as start62.sh
> > synscan62: Modified synscan tool - records to .w and .l files - stripped
> > synscan7: Same but compiled for RedHat 7 - stripped
> > w62: venglin wu-ftpd exploit - stripped
> > w7: Same but compiled for RedHat 7 - stripped
> > wh.sh: Driver script to call the "s" and "w" binaries against a given
> > target
> > wu62: Apparently only included by mistake. "strings" shows it to be
> > very similar to w62; nowhere is this binary ever invoked.
> >
> > Lucy E. Lynch Academic User Services
> > Computing Center University of Oregon
> > llynch at darkwing.uoregon.edu (541) 346-1774
> > Cell: (541) 912-7998 5419127998 at mobile.att.net
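Editor's added example (not code from this post, from NANOG, or from Cisco): the quoted description above says the RP turns each scan packet into an MSDP SA and floods it to its peers, and Hank's fix is a CAR rate-limit on TCP/UDP 639 at 128000 bps with a 30000-byte burst. The script below encodes and decodes MSDP Source-Active TLVs as laid out in RFC 3618 (type 1, length, entry count, RP address, then 12-byte source/group entries) and runs a constructed SA storm through a simplified token-bucket model of that rate-limit statement, so you can estimate what a given SA rate looks like on the wire and how many segments such a limiter would drop. Assumptions, all mine and not from the thread: one SA TLV per TCP segment; 20-byte IPv4 and 20-byte TCP headers with no options; a plain token bucket (with normal burst equal to extended burst, CAR's extended-burst probabilistic drop does not come into play, so it is not modelled); and the RP, source and group addresses are made up for the demonstration.

```python
"""MSDP Source-Active TLVs and a token-bucket model of a CAR rate-limit.

Added example, not code from the NANOG post or from Cisco. Assumptions:
  * one SA TLV per TCP segment, 20-byte IPv4 + 20-byte TCP headers (no options);
  * a plain token bucket for `rate-limit ... 128000 30000 30000`: with normal
    burst == extended burst, CAR's extended-burst behaviour does not apply,
    so it is not modelled;
  * every address and rate below is constructed for the demonstration.
"""
import struct
import ipaddress

MSDP_SA_TYPE = 1          # RFC 3618 section 12.2: Source-Active TLV
SA_HEADER_LEN = 8         # type(1) + length(2) + entry count(1) + RP address(4)
SA_ENTRY_LEN = 12         # reserved(3) + sprefix len(1) + group(4) + source(4)
IP_TCP_HEADERS = 40       # assumed IPv4 + TCP header bytes per segment


def build_sa(rp, pairs):
    """Encode one SA TLV announcing (source, group) pairs originated by RP `rp`."""
    if not 1 <= len(pairs) <= 255:
        raise ValueError("entry count must fit in one octet")
    body = struct.pack("!B", len(pairs)) + ipaddress.IPv4Address(rp).packed
    for src, grp in pairs:
        body += (b"\x00\x00\x00" + struct.pack("!B", 32)
                 + ipaddress.IPv4Address(grp).packed
                 + ipaddress.IPv4Address(src).packed)
    return struct.pack("!BH", MSDP_SA_TYPE, 3 + len(body)) + body


def parse_sa(data):
    """Decode an SA TLV into (rp, [(source, group), ...]); reject malformed input.
    Any encapsulated datagram after the entries is ignored (not modelled here)."""
    if len(data) < SA_HEADER_LEN:
        raise ValueError("TLV shorter than SA header")
    typ, length, count = struct.unpack("!BHB", data[:4])
    if typ != MSDP_SA_TYPE:
        raise ValueError(f"not an SA TLV (type {typ})")
    if length != len(data) or length < SA_HEADER_LEN + SA_ENTRY_LEN * count:
        raise ValueError("length field disagrees with entry count")
    rp = str(ipaddress.IPv4Address(data[4:8]))
    pairs = []
    for i in range(count):
        off = SA_HEADER_LEN + SA_ENTRY_LEN * i
        _, plen, grp, src = struct.unpack("!3sB4s4s", data[off:off + SA_ENTRY_LEN])
        if plen != 32:
            raise ValueError("source prefix length must be 32")
        pairs.append((str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(grp))))
    return rp, pairs


class TokenBucket:
    """Simplified CAR: tokens (bytes) refill at rate_bps/8 per second up to
    burst_bytes; a packet conforms only if the bucket holds its full size."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def offer(self, t, size):
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def wire_bits_per_second(sa_per_minute, entries_per_sa=1):
    """Line rate of an SA stream whose TLVs each carry entries_per_sa (S,G) pairs."""
    tlv_len = SA_HEADER_LEN + SA_ENTRY_LEN * entries_per_sa
    return sa_per_minute * (IP_TCP_HEADERS + tlv_len) * 8 / 60


def simulate_storm(sa_per_minute, duration_s, rate_bps=128000, burst_bytes=30000):
    """Run an evenly spaced one-entry SA storm through the bucket and return
    (conformed, dropped). One constructed scanning host hits successive groups."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    n = round(sa_per_minute * duration_s / 60)
    conformed = dropped = 0
    for i in range(n):
        grp = ipaddress.IPv4Address("224.2.0.0") + (i % 65536)   # constructed group
        tlv = build_sa("10.0.0.1", [("192.0.2.10", str(grp))])  # constructed RP/source
        if bucket.offer(i * 60 / sa_per_minute, IP_TCP_HEADERS + len(tlv)):
            conformed += 1
        else:
            dropped += 1
    return conformed, dropped


if __name__ == "__main__":
    print(f"15000 SA/min, one entry each: {wire_bits_per_second(15000):.0f} bps on the wire")
    print("15000 SA/min for 60 s through 128000/30000 CAR:", simulate_storm(15000, 60))
    print("30000 SA/min for 60 s through 128000/30000 CAR:", simulate_storm(30000, 60))
```

Under these assumptions the 15,000 SA/min quoted above comes to about 120 kbps if each SA rides in its own 60-byte segment, so a 128000 bps limiter passes it with little margin, while doubling the rate makes the bucket drain and drop roughly 45% of segments after the 30000-byte burst is spent. Real MSDP bundles several entries per TLV and TCP adds options, so treat the numbers as a sizing sketch for the rate-limit parameters, not a statement about the routers in the thread.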